2FA: Is Google Voice really a good second form of Authentication?

Samosa22
Posts: 341
Joined: Tue Dec 31, 2019 10:51 am

2FA: Is Google Voice really a good second form of Authentication?

Post by Samosa22 »

Inspired and motivated by some excellent posts on BH, I have started to adopt better online security practices such as using a password manager (Bitwarden), 2FA, and using YubiKey wherever possible. Since many financial institutions don't allow YubiKey as a second form of authentication, I am still forced to use phone as a second factor. So, I want to eliminate the possibility of SIM swapping (especially because I use a very cheap phone service and I am sure it’s a relatively easy target for hackers). I have read that Google Voice (GV) is a good tool to protect against SIM swap but I am struggling to understand how? I have obtained a GV number, which Google issued to me only after I linked my SIM-based number. Now I see two options under GV settings:

1. Forward messages to the linked phone number. If I choose this option and later the linked number is SIM-swapped, the hacker will have access to my GV messages. We are back to the problem I intended to eliminate.

2. Forward messages to my Gmail. This will eliminate SIM-swapping but now it is no more an “independent” form of authentication i.e., it is effectively asking FI to use my email as a form of authentication, which they will be using anyways if and when needed (for example to reset my password).

Am I missing something? Is there a third option you are using with GV? Thanks in advance for your help!
Diversification is protection against ignorance - WB.
mrb09
Posts: 316
Joined: Wed Aug 03, 2016 9:02 am

Re: 2FA: Is Google Voice really a good second form of Authentication?

Post by mrb09 »

I’m not as concerned about sim swapping (although I probably should be), I’m more concerned with losing my phone :) So I have Google Voice as a text number for financial services that only support phone as second auth method. For google itself, I use their authenticator as primary second auth, then backup codes in 1Password cloud + hard copy.

I keep the gvoice app on my phone as a device and not a linked number, so it isn’t tied to my sim. I assume/hope that if my phone is physically stolen, I have enough time to disable the gvoice link to my device (there’s a setting for that) and/or wipe my phone before they break into anything.
Northern Flicker
Posts: 7263
Joined: Fri Apr 10, 2015 12:29 am

Re: 2FA: Is Google Voice really a good second form of Authentication?

Post by Northern Flicker »

Samosa22 wrote: 2. Forward messages to my Gmail. This will eliminate SIM-swapping but now it is no more an “independent” form of authentication i.e., it is effectively asking FI to use my email as a form of authentication, which they will be using anyways if and when needed (for example to reset my password).
If a financial services provider will allow 2FA to a google voice number, and you set it up, forwarding the GV text traffic to email is the correct approach. The email would be mapped to your phone email client, and the same email address would be with the financial services if they did a password reset or 2FA by email.

That google account would be protected with a hard token 2FA and not used for any other email traffic nor for other google service.

The phone should be encrypted and a minimum 16-character phone password used. Additionally a fingerprint would be used so that you don't have to type in a long password to use the phone.

The phone encryption and long password protects you if your phone is lost or stolen. Getting the 2FA from GV by email protects you from a SIM/phone# swap because the new phone won't have your email.

Ideally, you would not type in a password on the same device where you get 2FA, which means not logging in with a phone app. This is so there is not a single point of compromise (in this case your phone) that compromises your account(s).

There is one major issue I can see, which is getting locked out of your google account. This should not stop the plumbing from working which means you can likely move it all to a new account.
My postings are my opinion, and never should be construed as a recommendation to buy, sell, or hold any particular investment.
palanzo
Posts: 2146
Joined: Thu Oct 10, 2019 4:28 pm

Re: 2FA: Is Google Voice really a good second form of Authentication?

Post by palanzo »

Northern Flicker wrote: Mon Oct 12, 2020 7:37 pm
Samosa22 wrote: 2. Forward messages to my Gmail. This will eliminate SIM-swapping but now it is no more an “independent” form of authentication i.e., it is effectively asking FI to use my email as a form of authentication, which they will be using anyways if and when needed (for example to reset my password).
If a financial services provider will allow 2FA to a google voice number, and you set it up, forwarding the GV text traffic to email is the correct approach. The email would be mapped to your phone email client, and the same email address would be with the financial services if they did a password reset or 2FA by email.

That google account would be protected with a hard token 2FA and not used for any other email traffic nor for other google service.

The phone should be encrypted and a minimum 16-character phone password used. Additionally a fingerprint would be used so that you don't have to type in a long password to use the phone.

The phone encryption and long password protects you if your phone is lost or stolen. Getting the 2FA from GV by email protects you from a SIM/phone# swap because the new phone won't have your email.

Ideally, you would not type in a password on the same device where you get 2FA, which means not logging in with a phone app. This is so there is not a single point of compromise (in this case your phone) that compromises your account(s).

There is one major issue I can see, which is getting locked out of your google account. This should not stop the plumbing from working which means you can likely move it all to a new account.
It is more secure to use the Google Voice app on a phone and not forward texts to an email client. That along with protecting the Google account with a hardware key like a YubiKey.
tommy85
Posts: 206
Joined: Wed Sep 05, 2018 4:11 pm

Re: 2FA: Is Google Voice really a good second form of Authentication?

Post by tommy85 »

I just went through this transition. If you go Google voice route, I would not forward texts and calls to your cell phone number. That would defeat the purpose. I would keep GV separate and use it via app. Downside to this is if your Google account is hacked, then you have too many eggs in same basket. Also not all institutions let you use VoIP for 2FA texts. So depending on what institutions you do business with, you may still have to use your cellular phone number for receiving some texts.

What I have done is, I am using Gmail to get the codes via email and I have secured my Google account with yubikey, back up codes and via 2FA using Authy. Hopefully it makes it harder to hack my Google account and I also will not lock myself out of my account if I were to lose my phone. The back up codes are sitting in my safe and Authy is backed up to cloud with a copy on my desktop.
Mr. Market is Bipolar.
palanzo
Posts: 2146
Joined: Thu Oct 10, 2019 4:28 pm

Re: 2FA: Is Google Voice really a good second form of Authentication?

Post by palanzo »

tommy85 wrote: Mon Oct 12, 2020 7:45 pm I just went through this transition. If you go Google voice route, I would not forward texts and calls to your cell phone number. That would defeat the purpose. I would keep GV separate and use it via app. Downside to this is if your Google account is hacked, then you have too many eggs in same basket. Also not all institutions let you use VoIP for 2FA texts. So depending on what institutions you do business with, you may still have to use your cellular phone number for receiving some texts.

What I have done is, I am using Gmail to get the codes via email and I have secured my Google account with yubikey, back up codes and via 2FA using Authy. Hopefully it makes it harder to hack my Google account and I also will not lock myself out of my account if I were to lose my phone. The back up codes are sitting in my safe and Authy is backed up to cloud with a copy on my desktop.
You will not lock yourself out of your Google account if you were to lose your phone. All you would need to do is log in on your computer and get GV texts that way. You are making things less secure by using a YubiKey, back up codes and Authy. All you are doing is increasing the attack surface.
tommy85
Posts: 206
Joined: Wed Sep 05, 2018 4:11 pm

Re: 2FA: Is Google Voice really a good second form of Authentication?

Post by tommy85 »

palanzo wrote: Mon Oct 12, 2020 7:52 pm
tommy85 wrote: Mon Oct 12, 2020 7:45 pm I just went through this transition. If you go Google voice route, I would not forward texts and calls to your cell phone number. That would defeat the purpose. I would keep GV separate and use it via app. Downside to this is if your Google account is hacked, then you have too many eggs in same basket. Also not all institutions let you use VoIP for 2FA texts. So depending on what institutions you do business with, you may still have to use your cellular phone number for receiving some texts.

What I have done is, I am using Gmail to get the codes via email and I have secured my Google account with yubikey, back up codes and via 2FA using Authy. Hopefully it makes it harder to hack my Google account and I also will not lock myself out of my account if I were to lose my phone. The back up codes are sitting in my safe and Authy is backed up to cloud with a copy on my desktop.
You will not lock yourself out of your Google account if you were to lose your phone. All you would need to do is log in on your computer and get GV texts that way. You are making things less secure by using a YubiKey, back up codes and Authy. All you are doing is increasing the attack surface.
You do have a point. Maybe I will disable the back up codes and Authy and just keep yubikey.
Mr. Market is Bipolar.
palanzo
Posts: 2146
Joined: Thu Oct 10, 2019 4:28 pm

Re: 2FA: Is Google Voice really a good second form of Authentication?

Post by palanzo »

tommy85 wrote: Mon Oct 12, 2020 8:04 pm
palanzo wrote: Mon Oct 12, 2020 7:52 pm
tommy85 wrote: Mon Oct 12, 2020 7:45 pm I just went through this transition. If you go Google voice route, I would not forward texts and calls to your cell phone number. That would defeat the purpose. I would keep GV separate and use it via app. Downside to this is if your Google account is hacked, then you have too many eggs in same basket. Also not all institutions let you use VoIP for 2FA texts. So depending on what institutions you do business with, you may still have to use your cellular phone number for receiving some texts.

What I have done is, I am using Gmail to get the codes via email and I have secured my Google account with yubikey, back up codes and via 2FA using Authy. Hopefully it makes it harder to hack my Google account and I also will not lock myself out of my account if I were to lose my phone. The back up codes are sitting in my safe and Authy is backed up to cloud with a copy on my desktop.
You will not lock yourself out of your Google account if you were to lose your phone. All you would need to do is log in on your computer and get GV texts that way. You are making things less secure by using a YubiKey, back up codes and Authy. All you are doing is increasing the attack surface.
You do have a point. Maybe I will disable the back up codes and Authy and just keep yubikey.
For Google accounts you need two YubiKeys. I think that is the best way to go.
Northern Flicker
Posts: 7263
Joined: Fri Apr 10, 2015 12:29 am

Re: 2FA: Is Google Voice really a good second form of Authentication?

Post by Northern Flicker »

Two yubikeys should work, maybe rotating which you use on a quarterly basis, so if the backup one fails you identify that before the other one fails as well.
My postings are my opinion, and never should be construed as a recommendation to buy, sell, or hold any particular investment.
palanzo
Posts: 2146
Joined: Thu Oct 10, 2019 4:28 pm

Re: 2FA: Is Google Voice really a good second form of Authentication?

Post by palanzo »

Northern Flicker wrote: Mon Oct 12, 2020 10:39 pm Two yubikeys should work, maybe rotating which you use on a quarterly basis, so if the backup one fails you identify that before the other one fails as well.
Why would you think a YubiKey would fail? It's a passive device. Nothing wrong with rotating.
Northern Flicker
Posts: 7263
Joined: Fri Apr 10, 2015 12:29 am

Re: 2FA: Is Google Voice really a good second form of Authentication?

Post by Northern Flicker »

palanzo wrote: It is more secure to use the Google Voice app on a phone and not forward texts to an email client.
Possibly, but many service providers offer the person trying to login the choice to receive 2FA by email instead of voice, whence the email client is already part of the attack surface. The GV app is a black box to me from a security perspective, and with software, it is usually best to assume it is "guilty until proven innocent."
My postings are my opinion, and never should be construed as a recommendation to buy, sell, or hold any particular investment.
Northern Flicker
Posts: 7263
Joined: Fri Apr 10, 2015 12:29 am

Re: 2FA: Is Google Voice really a good second form of Authentication?

Post by Northern Flicker »

palanzo wrote: Mon Oct 12, 2020 10:51 pm
Northern Flicker wrote: Mon Oct 12, 2020 10:39 pm Two yubikeys should work, maybe rotating which you use on a quarterly basis, so if the backup one fails you identify that before the other one fails as well.
Why would you think a YubiKey would fail? It's a passive device. Nothing wrong with rotating.
All hardware can fail.
My postings are my opinion, and never should be construed as a recommendation to buy, sell, or hold any particular investment.
palanzo
Posts: 2146
Joined: Thu Oct 10, 2019 4:28 pm

Re: 2FA: Is Google Voice really a good second form of Authentication?

Post by palanzo »

Northern Flicker wrote: Mon Oct 12, 2020 10:57 pm
palanzo wrote: It is more secure to use the Google Voice app on a phone and not forward texts to an email client.
Possibly, but many service providers offer the person trying to login the choice to receive 2FA by email instead of voice, whence the email client is already part of the attack surface. The GV app is a black box to me from a security perspective, and with software, it is usually best to assume it is "guilty until proven innocent."
In that case you use the Gmail app for the locked down Google account. Same account as for the GV for text of voice. The attack surface is the same because it is the same Google account.
Northern Flicker
Posts: 7263
Joined: Fri Apr 10, 2015 12:29 am

Re: 2FA: Is Google Voice really a good second form of Authentication?

Post by Northern Flicker »

Sure. But I'm not sure whether it matters if you forward the text codes to the email account associated with GV account and map that to a mail client on the phone or use both the GV app and a mail client. The latter does have a larger app footprint on the phone, however.
My postings are my opinion, and never should be construed as a recommendation to buy, sell, or hold any particular investment.
acegolfer
Posts: 2455
Joined: Tue Aug 25, 2009 9:40 am

Re: 2FA: Is Google Voice really a good second form of Authentication?

Post by acegolfer »

Samosa22 wrote: Mon Oct 12, 2020 6:55 pm So, I want to eliminate the possibility of SIM swapping (especially because I use a very cheap phone service and I am sure it’s a relatively easy target for hackers). I have read that Google Voice (GV) is a good tool to protect against SIM swap but I am struggling to understand how?
Correct. GV is safer than regular mobile phone number against SIM swap. But it also has its own faults. For example, if your gmail account is hacked then your GV is also hacked (not really 2FA).
mptfan
Posts: 6477
Joined: Mon Mar 05, 2007 9:58 am

Re: 2FA: Is Google Voice really a good second form of Authentication?

Post by mptfan »

palanzo wrote: Mon Oct 12, 2020 8:11 pm For Google accounts you need two YubiKeys. I think that is the best way to go.
I don't mean to pick nits, but you do not need Yubikeys for Google accounts... you do need at least two *security keys*, but they don't have to be Yubikeys.
palanzo
Posts: 2146
Joined: Thu Oct 10, 2019 4:28 pm

Re: 2FA: Is Google Voice really a good second form of Authentication?

Post by palanzo »

mptfan wrote: Tue Oct 13, 2020 2:10 pm
palanzo wrote: Mon Oct 12, 2020 8:11 pm For Google accounts you need two YubiKeys. I think that is the best way to go.
I don't mean to pick nits, but you do not need Yubikeys for Google accounts... you do need at least two *security keys*, but they don't have to be Yubikeys.
True, but. I personally recommend YubiKeys as they are completely designed and manufactured in Sweden or the USA. I would look at supply chain issues for other hardware keys. I don't work for Yubico or have any financial interest. I do have a strong security interest.
Northern Flicker
Posts: 7263
Joined: Fri Apr 10, 2015 12:29 am

Re: 2FA: Is Google Voice really a good second form of Authentication?

Post by Northern Flicker »

One other point is that many financial institutions only have a provision for 1 mobile number. You may need to be able to take voice calls at the GV number for it to work as the phone number on file with an institution. If the number is mapped to a mobile phone number, essentially being in the role of a phone number alias, then a sim swap or phone number port would capture that traffic. The Google supplied GV app may (likely will?) address this issue adequately, which could be a reason the app is mandatory for this solution to remediate the security risk adequately.
My postings are my opinion, and never should be construed as a recommendation to buy, sell, or hold any particular investment.
benway
Posts: 87
Joined: Thu Jun 30, 2011 5:17 pm

Re: 2FA: Is Google Voice really a good second form of Authentication?

Post by benway »

I've been using Google Voice as my second factor for quite some time and have text message based two-factor authentication (2FA) text codes sent to that number. I also use Authy for PIN based 2FA where possible. However, I just ran across this warning from 2014 on Authy's website:
Over the past few months we’ve seen a large amount of accounts being compromised on several of our clients sites. All of them had Two-Factor Authentication. How were they hacked then?

Simple. First the attacker compromises the user e-mail. The email is compromised mostly via phishing or by stealing the cookie using a malicious browser extension. Because Google uses the same cookie/account for all of their products the attacker can also access voice.google.com. Here, the attacker can see any SMS messages sent to you in real-time. This means that the attacker can now easily reset your password on any website since he has access to your e-mail and then use voice.google.com to retrieve the Two-Factor Authentication code.
Source: https://authy.com/blog/do-not-use-your- ... ntication/

How big of a risk is this? Is using Google Voice a greater risk than having 2FA texts sent to your cell phone number and potentially having your phone SIM hijacked? I do have a passcode set up for my cell number to help prevent SIM hijacks but I know that can be compromised too.
Kagord
Posts: 586
Joined: Fri Nov 23, 2018 1:28 pm

Re: 2FA: Is Google Voice really a good second form of Authentication?

Post by Kagord »

From what I understand, if you use a Yubikey, Google access is locked to your device, and some cookie that is hijacked isn't going to work. Maybe someone else can confirm, would like to know if this is not a valid assumption.
TravelGeek
Posts: 4274
Joined: Sat Oct 25, 2014 3:23 pm

Re: 2FA: Is Google Voice really a good second form of Authentication?

Post by TravelGeek »

Protecting email with 2FA is probably a good idea. Being careful with browser extensions is probably a good idea. I created a separate Google account for a 2FA Google Voice number. I don’t use that account for anything else.
Last edited by TravelGeek on Sat Jan 16, 2021 1:47 pm, edited 2 times in total.
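
Added example (not part of any post in this thread): a small threat model of the setups discussed above, covering the Authy warning quoted by benway and the dedicated-account setup TravelGeek describes. It assumes the FI allows password reset by email, that whoever controls a Google account can read its GV texts, and it does not model device theft; the asset and setup names are hypothetical labels.

```python
from itertools import product

# Constructed model: for each setup, the alternative sets of assets that
# yield the FI password and the alternative sets that yield the 2FA code.
SETUPS = {
    # Plain SMS to the carrier number; Gmail is the FI's reset address.
    "sms_to_sim_number": {
        "password": [{"fi_password"}, {"google_account"}],
        "code": [{"sim_number"}],
    },
    # GV option 1: texts forwarded to the linked SIM number.
    "gv_forward_to_sim_number": {
        "password": [{"fi_password"}, {"google_account"}],
        "code": [{"sim_number"}, {"google_account"}],
    },
    # GV option 2 or GV app: texts stay inside the Google account that
    # is also the FI's password-reset address.
    "gv_in_same_google_account": {
        "password": [{"fi_password"}, {"google_account"}],
        "code": [{"google_account"}],
    },
    # GV number held in a dedicated Google account used for nothing else.
    "gv_in_dedicated_account": {
        "password": [{"fi_password"}, {"email_account"}],
        "code": [{"gv_google_account"}],
    },
}


def takeover_sets(setup):
    """Minimal sets of assets whose compromise yields password AND code."""
    combos = {frozenset(p | c)
              for p, c in product(setup["password"], setup["code"])}
    # Drop any set that strictly contains a smaller sufficient set.
    return {s for s in combos if not any(other < s for other in combos)}


def single_points(setup):
    """Assets that are sufficient for takeover on their own."""
    return {next(iter(s)) for s in takeover_sets(setup) if len(s) == 1}


def exposed_to(setup, asset):
    """True if compromising `asset` contributes to any minimal takeover set."""
    return any(asset in s for s in takeover_sets(setup))


if __name__ == "__main__":
    for name, setup in SETUPS.items():
        print(name)
        print("  single points of compromise:", sorted(single_points(setup)))
        print("  SIM swap matters:", exposed_to(setup, "sim_number"))
        for s in sorted(map(sorted, takeover_sets(setup))):
            print("  takeover needs:", " + ".join(s))
```

In this model, moving the codes into Google Voice removes the SIM number from every takeover path only when texts are not forwarded to it, and the Google account becomes the single point of compromise unless the GV number lives in an account separate from the reset email.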
Nummerkins
Posts: 536
Joined: Tue Jun 01, 2010 4:41 pm

Re: 2FA: Is Google Voice really a good second form of Authentication?

Post by Nummerkins »

No, it's not. I personally know of people who have been permanently locked out of their Google accounts. There is no recourse, no support and no phone number to call. That's it.

Not to mention once Vanguard gets around to blacklisting Google Voice they will not provide advance notice.
Today's high is tomorrow's low.
Gray
Posts: 813
Joined: Sat Apr 16, 2011 5:33 am
Location: Virginia

Re: 2FA: Is Google Voice really a good second form of Authentication?

Post by Gray »

I use my GV # as an additional factor for some services. I run the app on my phone with messages to email. I have MFA in-place to access my Google Account, with backed up one-time authentication codes.
kevinf
Posts: 327
Joined: Mon Aug 05, 2019 11:35 pm

Re: 2FA: Is Google Voice really a good second form of Authentication?

Post by kevinf »

Nummerkins wrote: Sat Jan 16, 2021 1:46 pm No, it's not. I personally know of people who have been permanently locked out of their Google accounts. There is no recourse, no support and no phone number to call. That's it.

Not to mention once Vanguard gets around to blacklisting Google Voice they will not provide advance notice.
As for the last bit of your post... that is doomsaying and I find that HIGHLY unlikely given the preponderance of VOIP in this age and its likely growth in the future. The first part of your post is addressed below by the other poster.

Gray wrote: Sat Jan 16, 2021 4:30 pm I use my GV # as an additional factor for some services. I run the app on my phone with messages to email. I have MFA in-place to access my Google Account, with backed up one-time authentication codes.
Yes, to lose complete access to your account requires extreme carelessness. You are given 10 one-time-use codes to unlock your account if your hardware token is lost. Ten!

To be completely and permanently locked out that means:
  • You lost your hardware token
  • You lost your backup hardware token
  • You lost your 10 one time use backup codes